Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 228369 - dev-lang/php <5.2.6-r3: safe_mode bypass (CVE-2008-{2665,2666})
Summary: dev-lang/php <5.2.6-r3: safe_mode bypass (CVE-2008-{2665,2666})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://securityreason.com/achievement...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 234102
Blocks:
  Show dependency tree
 
Reported: 2008-06-19 15:15 UTC by Hanno Boeck
Modified: 2008-11-16 16:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-19 16:48:30 UTC
Hijacking this bug for all the other security-related bug fixes.

-r2 will hit the tree in the near future (maybe it'll take a few days), containing these fixes:

#1 safe_mode bypass by prepending http:// to paths (see initial description
   of this bug + securityreason advisories)

#2 Bug 221969 (insecure c-client api calls allow for buffer overflows)
   This IMO allows for local code execution (as such bypassing safe_mode etc.)
   and maybe eben remote code execution when processing specially-crafted mails.

#3 Crash in stream_context_set_params()
   http://bugs.php.net/44712

#4 Crash in class PDORow
   Commit msg: "Add check for avoid segfault when trying instantiate
                PDORow manually"

#5 Crash (double free) in Dom->setAttributeNode
   http://bugs.php.net/45251
   Commit msg: "fixed bug #45251 (double free or corruption with
                setAttributeNode())"

#6 Crash in array functions under certain circumstances
   http://bugs.php.net/45312
   Commit msg: "Fixed bug #45312 (Segmentation fault on second request for
                array functions)"

Only #2 looks a bit more serious to me, the others are just crashes or safe_mode bypasses.

There is no fix for issue #1, I'll bug upstream...
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-21 09:58:41 UTC
JFYI, issue #1 does not seem to be reproducible when enabling safe_mode via CLI (i.e. php -d safe_mode=on). It seems to work as expected in this case. If you want to reproduce it, use real files. :)
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-02 21:54:06 UTC
Ignore comment #1, we'll handle the other issues in bug 230575.
Initial issue still unfixed, I've got a patch which needs some testing and an OK from upstream.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-21 19:42:59 UTC
I proposed two patches and have further discussed this issue with Felipe Pena from upstream. My fix got committed [1], so I'm going to include it in our next patchset revision.
I'll wait some days to see if this causes some unwanted false positive safe_mode warnings though.

[1] http://news.php.net/php.cvs/51348
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-13 20:20:02 UTC
Updating whiteboard.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-16 16:14:57 UTC
GLSA 200811-05, thanks everyone, especially hoffie.